Disable stale computer objects after 30 days

Rick Angel 36 Reputation points
2021-01-25T22:26:22.907+00:00

We've been using the DOS command "dsquery computer -inactive 13 | dsrm -subtree -noprompt -c" to remove computers more than 90 days stale. I would like to add something to disable the accounts after 30 days. Is there a command similar to dsrm that would disable but not remove?

Second question. Is there a way to specify days rather than weeks? 13 weeks equals 91 days so that math works out well for a 90-day policy. 4 weeks is 28 days, but I prefer to use syntax that is exactly 30 days if that is possible since this will be documented in a company security policy.

I've seen some PowerShell examples but they all were calculating stale based on LastLogon which yields different results from dsquery. So if there is a PowerShell equivalent of dsquery I'm happy to use that instead. Please advise. Thanks.

Answer accepted by question author

Thameur-BOURBITA 36,531 Reputation points Moderator
2021-01-27T23:10:51.923+00:00

Hi @Rick Angel

Thanks for the reply. After running this command how do I see the list of computers more than 30 days inactive? This command run by itself seems to list all computers in the AD. Then after seeing the list I would need to be able to disable them. I could use "Set-ADComputer -Remove" to delete the computers but I would prefer to disable them first and delete them later. Do you have any suggestions?

# The first command lets you disable all enabled computers that have been inactive for more than 30 days
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-30) } | Disable-ADAccount

# The second command lets you delete disabled computers that have been inactive for more than 60 days
Get-ADComputer -Filter 'Enabled -eq $false' -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-60) } | Remove-ADObject

You can customize the commands above according to your needs.

----------

Please don't forget to mark the helpful reply as answer

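An added example, not part of the accepted answer or of any Microsoft code: the two-stage policy discussed above (disable first, remove later) with thresholds in exact days and a review step before anything is changed. The function name `Get-StaleComputerAction`, the `Review` state and the sample computers are hypothetical; the 30/60-day defaults follow the answer and can be set to 30/90 with the parameters.

```powershell
# Added example: classify computers by password age in exact days (not weeks).
function Get-StaleComputerAction {
    [CmdletBinding()]
    param(
        # Any object exposing Name, Enabled, PasswordLastSet (e.g. Get-ADComputer output)
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $DisableAfterDays = 30,
        [int] $RemoveAfterDays  = 60,
        [datetime] $Now = (Get-Date)
    )
    process {
        $age = $null
        if ($null -eq $Computer.PasswordLastSet) {
            # No password timestamp means there is no age to measure; flag for a human.
            $action = 'Review'
        } else {
            $age = ($Now - $Computer.PasswordLastSet).TotalDays
            if ($Computer.Enabled -and $age -gt $DisableAfterDays) {
                $action = 'Disable'   # stage 1: enabled but stale
            } elseif (-not $Computer.Enabled -and $age -gt $RemoveAfterDays) {
                $action = 'Remove'    # stage 2: already disabled and still stale
            } else {
                $action = 'None'
            }
            $age = [math]::Round($age, 1)
        }
        [pscustomobject]@{
            Name              = $Computer.Name
            Enabled           = $Computer.Enabled
            AgeDays           = $age
            Action            = $action
            DistinguishedName = $Computer.DistinguishedName  # empty for the sample below
        }
    }
}

# Constructed sample objects so the logic can be checked without a domain.
$now = [datetime]'2021-01-27'
$sample = @(
    [pscustomobject]@{ Name = 'PC-ACTIVE';   Enabled = $true;  PasswordLastSet = $now.AddDays(-10) }
    [pscustomobject]@{ Name = 'PC-EXACT30';  Enabled = $true;  PasswordLastSet = $now.AddDays(-30) }
    [pscustomobject]@{ Name = 'PC-STALE';    Enabled = $true;  PasswordLastSet = $now.AddDays(-31) }
    [pscustomobject]@{ Name = 'PC-DISABLED'; Enabled = $false; PasswordLastSet = $now.AddDays(-75) }
    [pscustomobject]@{ Name = 'PC-NEVERSET'; Enabled = $true;  PasswordLastSet = $null }
)
$sample | Get-StaleComputerAction -Now $now | Format-Table Name, Enabled, AgeDays, Action

# On a domain (ActiveDirectory module), review the list first; -WhatIf only previews:
# Get-ADComputer -Filter * -Properties PasswordLastSet | Get-StaleComputerAction |
#     Where-Object Action -eq 'Disable' |
#     ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

An enabled computer past the removal threshold is still classified as `Disable`, so nothing is deleted without having been disabled first.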


3 additional answers

  1. Lazar Petrov 1 Reputation point
    2021-09-15T09:17:23.143+00:00

    What recommendations do you guys use for deciding when an object should be removed/disabled etc.?


  2. Anonymous
    2021-01-26T08:30:15.783+00:00

    Hello,

    Thank you so much for posting here.

    Hope something here might be helpful.
    https://gallery.technet.microsoft.com/scriptcenter/Move-and-disable-inactive-b1cf86c3#content

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Thameur-BOURBITA 36,531 Reputation points Moderator
    2021-01-25T23:05:55.79+00:00

    Hi,

    You can get the list of inactive computers based on the PasswordLastSet value instead of LastLogon.

    Get-ADComputer -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-30) }
    

    Please don't forget to mark helpful reply as answer


